If the client certificate was created by a CA that is trusted by the IIS computer, then it is possible this error is caused by a known issue with Windows 2000 when it is configured to "Trust Only Enterprise Root Stores."
If you do have a client certificate that was created by a CA trusted by the IIS computer, then it is possible that your Windows 2000 domain has been configured with a group policy that forces the IIS computer to "Trust Only Enterprise Root Stores." If this policy is in enabled, the authentication will still fail, even if the CA is a Trusted Root Store.
To work around this issue, remove the Group Policy Trust only Enterprise Root stores option for the domain. To do this, perform the following steps:
- Start the Default Domain Policy Group Policy Editor.
- Select Computer Settings, choose Computer Configuration, and then select Windows Settings.
- Choose Security Settings, select Public Key Policies and then choose Trusted Root Certification Authorities.
- Right-click Trusted Root CA node, and then select Properties.
- Disable the Trust only Enterprise Root stores option.
Номер статьи: 252657 — последний просмотр: 24 янв. 2012 г. — редакция: 1